Personal medical information may be the only type of data that is more valuable to internet ne’er-do-wells than credit card information. Health care data breaches are serious business so having security measures in place to protect patient information is critical. The federal government passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to help address this situation.
Companies that deal with patient health information usually need to be HIPAA-compliant. We’ve already outlined the basic litmus test for whether HIPAA compliance is necessary in another post so there’s no need to rehash it here.
Compared to other security standards, like PCI-DSS, HIPAA doesn’t have a set of codified benchmarks, but rather a set of guidelines that inform compliance. Nevertheless, the process for achieving compliance for either standards is similar in a number of places.
Know Your Role
In the HIPAA framework there are two different types of entities, covered entities and business associates.
Covered entities include healthcare providers (like doctors), health plans, or healthcare clearinghouses. In essence, this refers to any entity that creates or needs access to patient data. For example, a doctor’s office is a covered entity because doctors create medical records. An insurance company is also a covered entity because they need to access medical records in order to know how to bill patients.
The Department of Health & Human Services defines a business associate as “… a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” This means that companies that handle things like accounting, processing payments, or legal services for a covered entity qualify as a business associate.
It’s necessary to categorize sensitive information in order to get a clear understanding of what is being protected and where. When thinking about HIPAA the two most relevant categories are Protected Health Information (PHI) and Personally Identifiable Information (PII).
For the most part, PHI consists of one’s medical records and information directly related to those. This means any past, present, or future diagnoses, medical history, and any medical payments.
Conversely, PII is much broader. PII includes any information that can directly, or in association with other information, be used to positively identify a person. This includes things such as name, address, biometric information, social security number, place of birth, mother’s maiden name, or any other similar type of information.
There are occasions for overlap between PHI and PII. A birth or death certificate could fall into both camps. Because it’s possible to use financial records to identify someone, any payments or financial transactions related to health care could qualify for both categories as well.
When seeking HIPPA compliance the key it to understand what type of information you’re dealing with, where it comes from, and how it’s used.
The federal government provides a self-assessment tool that companies may find useful to get an initial assessment of their system. But it may not be relevant for everyone and you’ll need a lot more than a simple download to achieve and maintain HIPAA compliance. Fortunately, like tandem skydiving, HIPAA compliance isn’t something that needs to be done in isolation. The best way to get the process started it to contact a licensed IT security firm that is experienced with HIPAA.
The HIPAA process is not an audit, but rather an assessment. This entails a review of a company’s policies and procedures to make sure they are in accordance with federal government mandates. After an initial review, the assessor notes the aspects of the environment that already meet the guidelines and those that need additional attention. Whereas PCI has a template to determine what passes muster and what doesn’t, HIPAA’s guidelines are broader and offer more of a spectrum to meet the standards rather than a checklist.
HIPAA assessors look at a wide variety of data and documentation to determine whether a tech environment is HIPAA-compliant. This includes system scans and data logs that verify that the system does not expose individual patient data. The HIPAA assessor also closely scrutinizes the firewalls, network schematics, and diagrams during the process.
Having a physically secured data center that is monitored 24/7 also contributes to HIPAA compliance. The building that houses the data center itself must also be HIPAA compliant. This is true regardless of whether a company keeps their servers in their own building or lease space in an external data center.
As far as procedures, HIPAA evaluates the number and types of verifications one must go through before gaining access to the environment. Assessors will actually look over an engineer’s shoulder as they access the environment to obtain this information. HIPAA also requires a risk assessment matrix and a sanction policy, the latter of which details the steps to be taken if a breach does occur. An incident recovery plan that specifies what happens in the case of an emergency, such as a power surge or natural disaster that comprises data availability or integrity, falls within the HIPAA guidelines as well.
The entire process takes an assessor several visits and can stretch from a few weeks to a few months in duration.
Companies aren’t guaranteed an annual audit by the federal government. But, like taxes, it’s better to do an assessment every year just in case you do get audited. A few dollars spent in the present can save major cash down the line.
Still, the process isn’t cheap and maintaining compliance takes a considerable amount of time, money, and resources. Documentation is a major aspect of HIPAA compliance and therefore having a compliance officer or project manager dedicated to monitoring and maintaining the necessary documentation is advisable. In addition, there is a need for technical skills in some combination of network engineers, system engineers, software engineers, as well as legal counsel for any legal questions or issues that may arise during the process.
In addition to an annual assessment, and to obtain the documentation necessary to ensure that assessment goes smoothly, regular internal and external scanning and testing is necessary. Monthly internal scans document the state of the environment throughout the year. External scans are required on a quarterly basis. These must be performed by a licensed IT security firm and pretty much consist of the firm trying to hack the environment to expose weaknesses.
Once an environment is recognized as HIPAA-compliant there is no formal Attestation of Compliance like with PCI.
Putting the Work in
Clearly, a considerable amount of time, money, and resources goes into establishing and maintaining HIPAA compliance. Fortunately, for companies that require HIPAA compliance for their voice or SMS communications, Plum Voice does all of this work for you. Our Plum DEV platform is HIPAA-compliant. That means companies can, in effect, use Plum’s technology, which makes that component of their communications compliant without having to go through the process themselves.